#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Monday 11th November 2013 ===
==== Fedora Project ====
 * Updated `perl-IO-Socket-SSL` to 1.958 in Rawhide:
  . Lots of behaviour changes for more secure defaults:
   * '''Behaviour change:''' make default cipher list more secure, especially:
    * No longer support MD5 by default (broken)
    * No longer support anonymous authentication by default (vulnerable to man in the middle attacks)
    * Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that it uses by default forward secrecy, if underlying `Net::SSLeay`/`openssl` supports it
    * Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should hopefully have been fixed and now RC4 is considered less safe than 3DES)
    * Default `SSL_honor_cipher_order` to 1, i.e. when used as server it tries to get the best cipher even if the client prefers other ciphers; '''please note''' that this might break connections with older, less secure implementations, in which case revert to '`ALL:!LOW:!EXP:!aNULL`' or so
   * '''Behaviour change:''' `SSL_cipher_list` now gets set on context, not SSL object, and thus gets reused if context gets reused; '''please note''' that using `SSL_cipher_list` together with `SSL_reuse_ctx` no longer has any effect on the ciphers of the context
   * Rework hostname verification schemes:
    * Add RFC names as scheme (e.g. '`rfc2818`', ...)
    * Add SIP, SNMP, syslog, netconf, GIST
    * '''Behaviour change:''' fix SMTP - now accept wildcards in `CN` and `subjectAltName`
    * '''Behaviour change:''' fix IMAP, POP3, ACAP, NNTP - now accept wildcards in `CN`
   * '''Behaviour change:''' anywhere wildcards like `www*` now match only '`www1`', '`www2`' etc. but not '`www`'
   * Anywhere wildcards like `x*` are no longer applied to IDNA names (which start with '`xn--`')
   * Fix crash of `Utils::CERT_free`
   * Support TLSv11, TLSv12 as handshake protocols
   * Fixed `t/core.t`: test used `cipher_list` of `HIGH`, which includes anonymous authorization; with the DH param given by default since 1.956, old versions of `openssl` (like 0.9.8k) used cipher `ADH-AES256-SHA` (i.e. anonymous authorization) instead of `AES256-SHA` and thus the check for the peer certificate failed (because `ADH` does not exchange certificates) - fixed by explicitly specifying `HIGH:!aNULL` as cipher ([[CPAN:90221|CPAN RT#90221]])
   * Cleaned up tests:
    * Remove `ssl_settings.req` and `02settings.t`, because all tests now create a simple socket at 127.0.0.1 and thus global settings are no longer needed
    * Some tests did not have `use strict`(!); fixed it
    * Removed special handling for older `Net::SSLeay` versions that are less than our minimum requirement
    * Some syntax enhancements: removed some `SSL_version` and `SSL_cipher_list` options where they were not really needed
   * Clean-up: remove workaround for old `IO::Socket::INET6` but instead require at least version 2.55, which is now 5 years old
   * Fix `t/session.t` to work with older `openssl` versions ([[CPAN:90240|CPAN RT#90240]])

==== Local Packages ====
 * Updated `perl-Archive-Zip` to 1.33:
  * Experimental Unicode in file/dir names
  * Add decryption support
  * Updated Perl dependency to 5.006 to reflect implicit dependencies in the code exposed by `Perl::MinimumVersion` `xt` test
  * Set compressed size and uncompressed size of an entry to `0` if either of them is `0` ([[CPAN:68446|CPAN RT#68446]])
  * Added `$VERSION` to `crc32`
  * Unlink temporary files generated by `tempFile` ([[CPAN:89777|CPAN RT#89777]])
  * Various minor bug fixes
  * Typo fixes ([[CPAN:59102|CPAN RT#59102]], [[CPAN:86600|CPAN RT#86600]])
 * Updated `perl-IO-Socket-SSL` to 1.958 as per the Fedora version
 * Updated `perl-Path-FindDev` to 0.4.2:
  * Minimum perl declared is now 5.8, and tested to work on 5.8; however, the version scheme is x.y.z still, which means if you want to depend on a specific version in Perl code, you'll need a recent enough `version.pm` to make it work
 * Updated `perl-Text-CSV_XS` to 1.02:
  * Add example for reading only a single column
  * Don't store `NULL` in `_ERROR_INPUT` ([[CPAN:86217|CPAN RT#86217]])
  * Prevent double-decode in csv-check
  * Add `decode_utf8` attribute (default is `true`)
 * Updated the `python-twisted` stack to 13.2.0 (see [[http://twistedmatrix.com/Releases/Twisted/13.2/NEWS.txt|NEWS]] for details)
----
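
The two wildcard rules in the `perl-IO-Socket-SSL` 1.958 entry above (`www*` no longer matches '`www`'; `x*` is no longer applied to '`xn--`' names), modelled as an added example that is not code from IO::Socket::SSL or from this log. The function names, the `legacy` flag approximating the earlier behaviour the changelog wording implies, the handling of a bare `*`, and the sample host names are all assumptions.

```python
import re

IDNA_PREFIX = "xn--"  # ACE prefix of an IDNA-encoded label


def wildcard_matches(pattern, hostname, legacy=False):
    """Match a certificate name whose leftmost label may hold one '*'.

    legacy=False models the two rules from the changelog entry; legacy=True
    is an assumed approximation of the earlier behaviour the entry implies.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_label, _, p_rest = pattern.partition(".")
    h_label, _, h_rest = hostname.partition(".")
    # Only a single '*' in the leftmost label is modelled here.
    if p_label.count("*") != 1 or "*" in p_rest or p_rest != h_rest:
        return False
    prefix, suffix = p_label.split("*")
    if not legacy and (prefix or suffix) and h_label.startswith(IDNA_PREFIX):
        # Rule 2: partial wildcards such as 'x*' are not applied to IDNA labels.
        # Assumption: a bare '*' label is unaffected by this rule.
        return False
    # Rule 1: '*' must stand for at least one character ('www*' != 'www').
    quantifier = "*" if legacy else "+"
    regex = re.escape(prefix) + "[a-z0-9-]" + quantifier + re.escape(suffix)
    return re.fullmatch(regex, h_label) is not None


# Constructed sample names, not taken from any real certificate.
SAMPLES = [
    ("www*.example.com", "www1.example.com"),
    ("www*.example.com", "www.example.com"),
    ("x*.example.com", "xn--bcher-kva.example.com"),
    ("*.example.com", "xn--bcher-kva.example.com"),
    ("www*.example.com", "www1.sub.example.com"),
]


def compare(samples=SAMPLES):
    """Return (pattern, host, legacy_result, current_result) per sample."""
    return [(p, h, wildcard_matches(p, h, legacy=True), wildcard_matches(p, h))
            for p, h in samples]


if __name__ == "__main__":
    for pattern, host, old, new in compare():
        note = "  <- changed" if old != new else ""
        print(f"{pattern:18} {host:28} old={old!s:5} new={new!s:5}{note}")
```

Rows marked as changed are the names a deployment relying on partial wildcards should re-test after the update.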